When list=allusers is used with auactiveusers, a property 'recenteditcount'
is returned in the result. In bug 67301[1] it was pointed out that this
property is including various other logged actions, and so should really be
named something like "recentactions".
Gerrit change 130093,[2] merged today, adds the "recentactions" result
property. "recenteditcount" is also returned for backwards compatability,
but will be removed at some point during the MediaWiki 1.25 development
cycle.
Any clients using this property should be updated to use the new property
name. The new property will be available on WMF wikis with 1.24wmf12, see
https://www.mediawiki.org/wiki/MediaWiki_1.24/Roadmap for the schedule.
[1]: https://bugzilla.wikimedia.org/show_bug.cgi?id=67301
[2]: https://gerrit.wikimedia.org/r/#/c/130093/
--
Brad Jorsch (Anomie)
Software Engineer
Wikimedia Foundation
Hello,
Since the early days of REST API it provides two features that haven’t been widely used neither internally in the WMF nor by the community. Today in a clean-up pass over the API we have decided to deprecate and eventually remove those features to allow some long-needed refactorings and stability improvements of other, more important, endpoints.
The first one is the ability to query metadata about the page via the `/page/title/{title}`~[1] endpoint. The metadata includes properties like the latest revision number of the page, user who have made the last edit, whether the page is a redirect and similar. The backend storage model used to power the feature is quite unique in the system and has a significant maintenance cost without providing a clear benefit to users.
Another feature that’s never found it’s audience is the ability to get listings of revisions, titles and renders stored in RESTBase. These listings suffer from scaling issues and cannot work reliably with the data model we have.
We have, hence, opted to remove these unused and complex endpoints until there is some actual need for this data in the REST API when we can design and implement them better. Here’s the list of endpoints that are now deprecated and will be removed on May, 1st 2017:
• /page/title/
• /page/title/{title}
• /page/title/{title}/
• /page/revision/
• /page/revision/{revision}
In case you are using them please switch to using the MediaWiki Action API. In case you need assistance or have questions, feel free to reply to this e-mail or contact the Wikimedia Services team~[2].
Best regards,
Petr Pchelko
Software Engineer
Wikimedia Foundation
[1] https://en.wikipedia.org/api/rest_v1/#!/Page_content/get_page_title_title
[2] https://www.mediawiki.org/wiki/Wikimedia_Services
As was previously announced, passing the lgpassword or lgtoken parameters
to action=login in the query string rather than the POST body will begin to
return an error starting with 1.29.0-wmf.13. See
https://www.mediawiki.org/wiki/MediaWiki_1.29/Roadmap for the deployment
schedule.
On Mon, Oct 31, 2016 at 2:44 PM, Brad Jorsch (Anomie) <bjorsch(a)wikimedia.org
> wrote:
> Over the past 30 days, there has been exactly one hit to
> action=clientlogin with sensitive data in the query string, and none to
> action=createaccount, action=linkaccount, and action=changeauthenticationdata.
> Beginning in 1.29.0-wmf.1 (to be deployed this week) these actions will now
> begin throwing errors if sensitive fields are included in the query string.
>
> Over the past 30 days, logins have been attempted via action=login for 28
> different user names[1] with sensitive data (lgpassword or lgtoken) in the
> query string. This will continue to work for now; my current plan is to
> turn that warning into an error on February 15, 2017.
>
>
> [1]: I can't post the list publicly at this time. If you want to know if
> you're one of the 28, put your user agent into https://meta.wikimedia.org/
> wiki/Special:ApiFeatureUsage and look for "login-params-in-query-string".
>
>
> On Fri, Aug 19, 2016 at 3:24 PM, Brad Jorsch (Anomie) <
> bjorsch(a)wikimedia.org> wrote:
>
>> For improved safety, passwords and other sensitive fields for
>> authentication should not be included in the request URI during a POST.
>> Instead, they should be in the POST body where they are less likely to be
>> included in log files. With the merge of Gerrit change 305545,[1] the API
>> will now produce a warning if such fields are detected in the URI. This
>> should be deployed to WMF wikis with 1.28.0-wmf.16, see
>> https://www.mediawiki.org/wiki/MediaWiki_1.28/Roadmap for the schedule.
>>
>> This affects the following modules and fields:
>> * action=login: 'lgpassword'
>> * action=clientlogin, action=createaccount, action=linkaccount, and
>> action=changeauthenticationdata: Any fields reported as "sensitive" by
>> action=query&meta=authmanagerinfo or by UI or REDIRECT responses.
>> Currently, this affects the 'password' and 'retype' fields.
>>
>> The 'lgtoken' field for action=login will now also issue a warning if
>> placed in the request URI. The error code for other tokens being in the
>> request URI has changed from 'mustposttoken' to 'mustpostparams'.
>>
>> To check if your client's user agent is detected making such submissions,
>> you can also use ApiFeatureUsage[2] and look for
>> '<action>-params-in-query-string' once 1.28.0-wmf.16 is rolled out to
>> wikis your client is logging in to.
>>
>> It is planned that these warnings will be changed to errors during 1.29.
>> Let's avoid having a repeat of T142155,[3] update your code ASAP instead of
>> waiting until it breaks. Thanks.
>>
>> [1]: https://gerrit.wikimedia.org/r/#/c/305545/
>> [2]: https://meta.wikimedia.org/wiki/Special:ApiFeatureUsage
>> [3]: https://phabricator.wikimedia.org/T142155
>>
>> --
>> Brad Jorsch (Anomie)
>> Senior Software Engineer
>> Wikimedia Foundation
>>
>
>
>
> --
> Brad Jorsch (Anomie)
> Senior Software Engineer
> Wikimedia Foundation
>
--
Brad Jorsch (Anomie)
Senior Software Engineer
Wikimedia Foundation